Like its Starbucks namesake, the general-purpose Java programming language comes in many different strengths and flavors. But which ones may be harmful to the health of your PC?

The Department of Homeland Security, along with numerous security experts, have recommended that whenever possible, businesses should pull the plug on Java running in their browsers. But the warnings have led to mass confusion: Do they also apply to the general Java runtime environment? And what about JavaScript, Enterprise JavaBeans, embedded Java, JavaFX, Java running on Android or anything else with Java in its name?

The confusion is compounded by the difficulty of finding and deactivating Java plug-ins, especially because the latest versions of the Java browser plug-in may not accurately report when they are -- or aren't -- installed. "Your browser lies: Java 7 Update 10 introduced a new checkbox that disables the use of Java in all browsers," says information security consultant Michael Horowitz on his Java version testing site. "By and large, this is a good thing, but there seems to be a failure to communicate between Java and many Web browsers. As a result, all the browsers I have tried so far incorrectly report that Java is not installed when, in fact, it may be installed but this new security feature has been enabled."

Let's clear up some confusion. First, the current Java-removal advice -- and security issues -- don't apply to Enterprise JavaBeans, embedded Java, JavaFX or JavaScript. "A common mistake is to confuse Java with JavaScript -- which is technically called ECMAScript," says Joe DeMesy, a senior analyst at information security consultancy Stach & Liu, via email. "These are, in fact, entirely different programming languages. While JavaScript has its own interesting history of security problems, the recently disclosed vulnerabilities do not affect JavaScript -- only Java's browser plug-in."

For security reasons, Java developer Sun (now part of Oracle) has restricted which parts of the Java runtime environment the browser plug-in can access. But DeMesy says the recent zero-day bugs have allowed attackers to use malicious websites to exploit plug-ins and gain access to the full Java runtime environment. As a result, attackers can use the Java runtime environment installed on a PC to execute arbitrary code.

The Java browser plug-in risk has been heightened by the fact that Oracle has taken its time to remediate vulnerabilities once they've been disclosed by bug hunters. By some accounts, some of Oracle's patches have also been rushed and sloppy. Also, Java security updates aren't reaching end users because Oracle has failed to offer automatic Java updates, as Adobe did to address out-of-control exploits of the Flash browser plug-in. As a result, the Java plug-in has become an attack magnet.

Notably, a recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks, compared with 18% of attacks involving a specific PDF vulnerability, 2% involving other PDF vulnerabilities, followed by MDAC, HCP and Flash bugs (1% each). But many of those exploited Java bugs were patched months ago, if not earlier, which leads to only one conclusion: "Java security fixes are not being installed," writes report author and SophosLabs researcher Gabor Szappanos. "Users don't consider Java a direct threat and don't rush into updating their systems." Or perhaps users simply don't know it's even running on their system.

Despite mounting criticism of its handling of Java in the face of regular zero-day vulnerabilities and in-the-wild exploits, Oracle officials haven't sharpened their game. An Oracle spokeswoman this week responded to requests for comment on the latest zero-day vulnerability -- first publicly documented Wednesday by security reporter Brian Krebs -- by pointing to Oracle's security advisory, issued Sunday to accompany Oracle's patch for the two zero-day vulnerabilities discovered last week. When informed by Ars Technica that the update has no information about the new zero-day bug, seen for sale by Krebs about 24 hours after the update was released, the Oracle spokeswoman replied that the company had no additional comment.

Interestingly, JavaScript offers a solution to the Java-meets-browsers security problem. "With modern versions of JavaScript there is little to no need for developers to use Java in the browser," says Stach & Liu's DeMesy. "This is the reason these vulnerabilities are so interesting -- because while the Java browser plug-in is commonly installed, it's not commonly used."

Many capabilities handled via Java browser plug-ins are already available elsewhere, and that will no doubt be the route many end users -- and hopefully developers -- will now pursue. "If WebEx and GoToMeeting didn't need Java, I wouldn't have installed it in the first place," reports one InformationWeek reader. "I've found that you can install their client and that lets you do away with Java. Goodbye Java. I have enough to worry about."

Welcome to
TechWeb, the IT professional's online resource for news coverage of the
information technology industry. We know technology news. Our mobile
and wireless news coverage moves as fast as wireless technology itself.
We follow all the devices you depend on to stay connected. Our software
coverage follows the multi-faceted software industry from every angle.
We've got a lock on network security and computer security issues.
We're all over the business of the Web--the Internet business--and the
engines that run it. We have our eyes and ears tuned to the players who
make and run the tools that tie us all together--Google, Microsoft,
eBay, Cisco, Yahoo, Oracle, Apple, Sony--and scores of others. And we
keep close tabs on the backbone of information technology, PC hardware.
We know PCs and Apple computers inside and out. We cover computer
technology, computer news, software news, search engine news, business
software, operating systems, and software development. Our coverage of
tech news includes a strong focus on the security business, its
attendant spyware and viruses, how security relates to wireless
technology and business networking and the security issues surrounding
RFID technology. We closely follow developments in Internet news and
Internet technology, including the spread of broadband and its effect
on Web browsers and the Web business. We watch the VoIP business, and
how VoIP technology is affecting the state of telephony in the
enterprise. And if all that isn't enough, we also track developments in
the IT industry that affect IT jobs, IT careers, and outsourcing.